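/**
 * Two-Secret Key Derivation (2SKD)
 *
 * Combines password-derived key with LocalSecret using XOR.
 * This follows the 1Password security model where both secrets
 * are required to derive the Key Encryption Key (KEK).
 *
 * Security properties:
 * - Password alone cannot derive KEK
 * - LocalSecret alone cannot derive KEK
 * - Both are required, providing two-factor encryption
 *
 * Assumptions these properties rest on:
 * - The LocalSecret is uniformly random, kept secret, and exactly as long
 *   as the Argon2id output (32 bytes). A plain XOR combiner adds no
 *   strength of its own.
 * - If the LocalSecret is disclosed, the KEK is protected only by the
 *   password and the Argon2id cost parameters.
 *
 * Issue #1649
 */
import type { Argon2idConfig, KdfResult } from "./types";

/**
 * Derive KEK using Two-Secret Key Derivation
 *
 * Combines:
 * 1. Password → Argon2id → 32 bytes
 * 2. LocalSecret → 32 bytes
 * 3. XOR(1, 2) → KEK
 *
 * NOTE(review): `localSecret` is typed as nullable and the `@throws` below
 * applies only when the secret is "required". What makes it required is not
 * visible in this declaration. Confirm against the implementation that a
 * missing secret can never silently fall back to password-only derivation
 * for data that was protected with 2SKD.
 *
 * @param password - User's password
 * @param config - Argon2id configuration
 * @param localSecret - Device-bound LocalSecret (32 bytes)
 * @returns Promise resolving to a KdfResult containing the derived KEK
 * @throws LocalSecretRequiredError if localSecret is not provided but required
 */
export declare function deriveTwoSecretKdf(
  password: string,
  config: Argon2idConfig,
  localSecret: Uint8Array | null | undefined,
): Promise<KdfResult>;

/**
 * Verify that a LocalSecret is valid
 *
 * Acts as a type guard: a `true` result narrows the argument to
 * `Uint8Array`, so `null` and `undefined` are rejected.
 *
 * NOTE(review): the validity criteria are not visible in this declaration.
 * Presumably this is a 32-byte length check. A structural check cannot show
 * that the bytes are random, so passing it says nothing about secret quality.
 *
 * @param localSecret - The LocalSecret to verify
 * @returns true if valid
 */
export declare function isValidLocalSecret(
  localSecret: Uint8Array | null | undefined,
): localSecret is Uint8Array;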